...does what it says on the tin. Nationwide again, again. : comments.
(no subject)
Prior to the card readers, an attacker just needed to steal your web login details to steal money from your account. This can be done e.g. with a trojan on your computer that runs long enough to pick up the full details where you only enter partial information on each login.
With card readers, then an attacker *also* needs some way to construct the correct response to the issued challenge. If it's possible to clone the chip on a C&P card, then an attacker could do this, e.g. with a trojaned C&P machine in a shop. But the vector for doing that and the vector for stealing your login details are very different, so it'll be much harder - probably you'd need to operate a big database, grab people's details opportunistically, and hope that a few of them would match up. If it's not possible to clone the chip, then the only attack is to steal the card.
So I think they're worthwhile, and I think (Nationwide's administrative incompetence aside) that they've implemented it in basically the best way they could.